
[Jun-2026] The PECB ISO-IEC-27035-Lead-Incident-Manager Exam Test For Brief Preparation
Revolutionary Guide To Exam PECB Dumps
NEW QUESTION # 16
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third-party systems. These issues became especially evident during an incident that caused several hours of server downtime. This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings. The scan revealed a critical vulnerability: the software used outdated encryption algorithms that are susceptible to decryption by modern methods, which posed a significant risk of asset exposure. Noah, the IT manager, played a central role in this discovery. With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management, Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This set the stage for Paulina's crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC 27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats.
According to scenario 7, what type of incident has occurred at Konzolo?
- A. High severity incident
- B. Critical severity incident
- C. Medium severity incident
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Severity classification of an incident under ISO/IEC 27035-2:2016 is determined by factors such as potential data exposure, business disruption, and impact on critical services. In this scenario, the server downtime caused by a third-party breach and a vulnerability in cryptographic wallet software (capable of leading to asset exposure) signify serious business and operational risks.
Although the vulnerability was critical, no actual asset theft or breach was confirmed. Therefore, while serious, the incident does not reach the "critical" threshold (which would typically involve data exfiltration, irreversible loss, or public impact). The appropriate classification is "High Severity."
Reference:
* ISO/IEC 27035-2:2016, Clause 6.3.1: "Severity is determined by the actual or potential impact on business operations, data, reputation, and legal obligations."
* Annex A (Example Severity Levels): "High-severity incidents involve confirmed vulnerabilities with significant potential for impact, such as financial loss or regulatory violations."
Correct answer: B
-
NEW QUESTION # 17
Scenario 7: Located in central London, Konzolo has become a standout innovator in the cryptocurrency field.
By introducing its unique cryptocurrency, Konzolo has contributed to the variety of digital currencies and prioritized enhancing the security and reliability of its offerings.
Konzolo aimed to enhance its systems but faced challenges in monitoring the security of its own and third-party systems. These issues became especially evident during an incident that caused several hours of server downtime. This downtime was primarily caused by a third-party service provider that failed to uphold strong security measures, allowing unauthorized access.
In response to this critical situation, Konzolo strengthened its information security infrastructure. The company initiated a comprehensive vulnerability scan of its cryptographic wallet software, a cornerstone of its digital currency offerings. The scan revealed a critical vulnerability: the software used outdated encryption algorithms that are susceptible to decryption by modern methods, which posed a significant risk of asset exposure. Noah, the IT manager, played a central role in this discovery. With careful attention to detail, he documented the vulnerability and communicated the findings to the incident response team and management.
Acknowledging the need for expertise in navigating the complexities of information security incident management, Konzolo welcomed Paulina to the team. After addressing the vulnerability and updating the cryptographic algorithms, they recognized the importance of conducting a thorough investigation to prevent future vulnerabilities. This set the stage for Paulina's crucial involvement. She performed a detailed forensic analysis of the incident, employing automated and manual methods during the collection phase. Her analysis provided crucial insights into the security breach, enabling Konzolo to understand the depth of the vulnerability and the actions required to mitigate it.
Paulina also played a crucial role in the reporting phase, as her comprehensive approach extended beyond analysis. By defining clear and actionable steps for future prevention and response, she contributed significantly to developing a resilient information security incident management system based on ISO/IEC 27035-1 and 27035-2 guidelines. This strategic initiative marked a significant milestone in Konzolo's quest to strengthen its defenses against cyber threats.
Based on scenario 7, a vulnerability scan at Konzolo revealed a critical vulnerability in the cryptographic wallet software that could lead to asset exposure. Noah, the IT manager, documented the event and communicated it to the incident response team and management. Is this acceptable?
- A. No, he should have waited for confirmation of an actual asset exposure before documenting and communicating the vulnerability
- B. Yes, he should document the event and communicate it to the incident response team and management
- C. No, he should have postponed the documentation process until a full investigation is completed
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016, an information security event should be documented and communicated as soon as it is identified, particularly if it has the potential to escalate into an incident. Timely documentation and escalation enable the organization to take immediate and coordinated actions, which are essential to managing risk effectively.
Clause 6.2.1 of ISO/IEC 27035-1 states that events, even before confirmation as incidents, must be logged and assessed to determine appropriate response measures. Waiting until after a breach occurs or delaying documentation may violate both internal policies and regulatory requirements, especially in high-risk domains like cryptocurrency.
Therefore, Noah's actions align fully with the recommended practices outlined in ISO/IEC 27035.
Reference:
* ISO/IEC 27035-1:2016, Clause 6.2.1: "All identified information security events should be recorded and communicated to ensure appropriate assessment and response."
* Clause 6.2.2: "Early communication and documentation are crucial to managing potential incidents effectively."
Correct answer: C
-
NEW QUESTION # 18
What is the purpose of incident categorization within the incident management lifecycle?
- A. To automatically assign incidents to technicians
- B. To determine the priority of incidents
- C. To sort incidents based on the disrupted IT or business domain
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27035-2:2016, incident categorization is a vital step in the incident management lifecycle. Its primary purpose is to sort and group incidents based on specific criteria so that appropriate actions and escalation paths can be taken.
One of the core objectives of categorization is to sort incidents by the domain or system affected, whether it's a database, email system, network, or physical server. This enables organizations to assign incidents to relevant subject matter experts and apply the right procedures, based on the affected business function or IT component.
While categorization can influence prioritization (option A), the main intent is classification based on nature and domain. Automatic technician assignment (option B) may be supported by some service management platforms but is not the foundational purpose of incident categorization under ISO 27035.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.1.2: "Categorization should identify the domain or component affected to enable appropriate response and escalation."
ISO/IEC 27035-2:2016, Clause 7.3: "Incidents should be categorized based on the type of disruption they cause and the business or technical domain they impact."
Therefore, the correct answer is C: To sort incidents based on the disrupted IT or business domain.
-
NEW QUESTION # 19
Who is responsible for providing threat intelligence and supporting the lead investigator within an incident response team?
- A. IT support staff
- B. Team leader
- C. Analysts and researchers
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
In an Incident Response Team (IRT), analysts and researchers are responsible for threat intelligence, data analysis, malware investigation, and providing in-depth technical insights. Their work directly supports the lead investigator by identifying root causes, attack vectors, indicators of compromise (IOCs), and evaluating threat actor tactics.
According to ISO/IEC 27035-2:2016, these roles are part of the broader support functions within an IRT and are crucial for technical depth and timely resolution of incidents.
Option A (IT support staff) may provide infrastructure-level assistance but typically lacks threat analysis capabilities. Option C (team leader) oversees coordination and communication but is not the primary intelligence resource.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.2.3: "Support roles may include malware analysts, forensic experts, and threat intelligence researchers."
ENISA CSIRT Training Guide: "Analysts contribute to ongoing investigations by identifying attack patterns and supporting mitigation decisions."
Correct answer: B
-
NEW QUESTION # 20
Who is responsible for approving an organization's information security incident management policy?
- A. Incident coordinator
- B. Incident manager
- C. Top management
Answer: C
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27001:2022 and ISO/IEC 27035-2:2016, top management holds accountability for ensuring the alignment of security policies with organizational objectives. Policy approval, particularly for something as critical as incident management, must be authorized by top-level decision-makers to ensure authority, enforcement, and resource support.
Reference:
ISO/IEC 27001:2022, Clause 5.1: "Top management shall demonstrate leadership and commitment... including approval of the information security policy."
ISO/IEC 27035-2:2016, Clause 4.3: "The policy should be approved and issued by top management."
Correct answer: A
-
NEW QUESTION # 21
What determines the frequency of reviewing an organization's information security incident management strategy?
- A. The nature, scale, and complexity of the organization
- B. The frequency of audits conducted by external agencies
- C. The number of employees in the organization
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 Clause 7.1 explicitly states that the frequency and depth of reviewing the incident management strategy should be based on the organization's size, complexity, and threat environment. Larger or more complex environments may require more frequent reviews to remain agile and responsive.
Audit schedules (Option C) may influence timing, but they do not dictate the necessary frequency for strategic reviews. The number of employees (Option A) alone is not a sufficient factor.
Reference:
ISO/IEC 27035-1:2016, Clause 7.1: "The frequency and scope of reviews should be determined by the nature, scale, and complexity of the organization."
Correct answer: B
-
NEW QUESTION # 22
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
Based on the scenario above, answer the following question:
Is the incident management scope correctly determined at L&K Associates?
- A. No, the incident management scope is too broad, encompassing all IT systems regardless of relevance
- B. Yes, the incident management scope is customized to align with the organization's unique needs
- C. No, the incident management scope is overly restrictive, excluding potential incident sources beyond those directly related to IT systems and services
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1:2016 encourages organizations to define the scope of incident management based on their own risk environment, business model, and available resources. This scope should be tailored to focus on the systems, services, and personnel that are most critical and relevant to the organization's operations.
In this scenario, Leona appropriately aligned the scope with L&K Associates' specific IT infrastructure and business processes, deliberately including relevant IT systems and associated personnel while excluding unrelated sources. This customization is consistent with best practices and ensures that the incident management process remains focused, efficient, and manageable.
ISO/IEC 27035-2, Clause 4.2, emphasizes that "the scope of incident management should be defined in a way that it supports the organization's objectives and risk environment."
Therefore, the correct answer is A: Yes, the incident management scope is customized to align with the organization's unique needs.
-
NEW QUESTION # 23
What role does the incident coordinator play during the response phase?
- A. Coordinating the activities of IRTs and monitoring response time
- B. Initiating the response actions immediately
- C. Assessing if the event is a potential or confirmed security incident
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
The incident coordinator plays a vital managerial and operational role in guiding and synchronizing the efforts of Incident Response Teams (IRTs). ISO/IEC 27035-2:2016, Clause 7.2.2 describes the role as one that involves coordination of resources, communication, and oversight to ensure that all phases of the response are executed according to procedure and within acceptable timelines.
Responsibilities include:
- Assigning roles and responsibilities
- Overseeing containment, eradication, and recovery efforts
- Communicating with stakeholders
- Tracking incident metrics and resolution progress
Initiating the response (Option B) is typically a decision taken collectively or by senior management or the IMT after classification. Assessing the nature of an event (Option C) falls under the detection and classification phase, not the coordinator's primary role during response.
Reference:
ISO/IEC 27035-2:2016, Clause 7.2.2: "The incident coordinator is responsible for leading and coordinating the incident response process, ensuring timely and efficient execution."
Correct answer: A
-
NEW QUESTION # 24
Scenario 4: ORingo is a company based in Krakow, Poland, specializing in developing and distributing electronic products for health monitoring and heart rate measurement applications. With a strong emphasis on innovation and technological advancement, ORingo has established itself as a trusted provider of high-quality, reliable devices that enhance the well-being and healthcare capabilities of individuals and healthcare professionals alike.
As part of its commitment to maintaining the highest standards of information security, ORingo has established an information security incident management process. This process aims to ensure that any potential threats are swiftly identified, assessed, and addressed to protect systems and information. However, despite these measures, an incident response team member at ORingo recently detected a suspicious state in their systems' operational data, leading to the decision to shut down the company-wide system until the anomaly could be thoroughly investigated. Upon detecting the threat, the company promptly established an incident response team to respond to the incident effectively. The team's responsibilities encompassed identifying root causes, uncovering hidden vulnerabilities, and implementing timely resolutions to mitigate the impact of the incident on ORingo's operations and customer trust.
In response to the threat detected across its cloud environments, ORingo employed a sophisticated security tool that broadened the scope of incident detection and mitigation. This tool covers network traffic, cloud environments, and potential attack vectors beyond traditional endpoints, enabling ORingo to proactively defend against evolving cybersecurity threats. During a routine check, the IT manager at ORingo discovered that multiple employees lacked awareness of proper procedures following the detection of a phishing email. In response, immediate training sessions on information security policies and incident response were scheduled for all employees, emphasizing the importance of vigilance and adherence to established protocols in safeguarding ORingo's sensitive data and assets.
As part of the training initiative, ORingo conducted a simulated phishing attack exercise to assess employee response and knowledge. However, an employee inadvertently informed an external partner about the 'attack' during the exercise, highlighting the importance of ongoing education and reinforcement of security awareness principles within the organization.
Through its proactive approach to incident management and commitment to fostering a culture of security awareness and readiness, ORingo reaffirms its dedication to safeguarding the integrity and confidentiality of its electronic products and ensuring the trust and confidence of its customers and stakeholders worldwide.
According to scenario 4, in response to a detected threat across its cloud environments, which tool did ORingo utilize to extend its threat detection and response capabilities beyond traditional endpoints?
- A. SIEM
- B. XDR
- C. IPS
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
XDR (Extended Detection and Response) is a security solution that integrates and correlates data across multiple domains, including endpoints, networks, cloud workloads, and more. In the scenario, the tool is described as capable of covering network traffic, cloud environments, and beyond, characteristics that align directly with the capabilities of XDR.
IPS (Intrusion Prevention System) focuses narrowly on network perimeter security.
SIEM (Security Information and Event Management) is primarily focused on log aggregation and analysis rather than real-time detection and automated response across multiple layers.
Reference:
NIST SP 800-207 and modern security frameworks define XDR as a centralized detection and response platform with cross-domain visibility.
Therefore, the correct answer is A: XDR
-
NEW QUESTION # 25
Who should have access to training materials on information security incident management?
- A. All personnel, including new employees, third-party users, and contractors
- B. Only personnel involved in technical roles
- C. Only internal interested parties
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035 and ISO/IEC 27001 emphasize that information security awareness and training must extend to all personnel, not just those in technical roles. Clause 7.3.2 of ISO/IEC 27035-2 specifically states that "training should be made available to all staff," including non-technical users, third-party service providers, contractors, and any personnel with access to organizational assets or systems.
The rationale is that every user is a potential entry point for cyber threats. Whether through phishing, social engineering, or misconfiguration, untrained staff can unintentionally compromise the organization's security posture. Therefore, organizations must ensure that everyone, especially new hires, contractors, and third-party partners, is trained on incident reporting procedures, security responsibilities, and escalation paths.
Reference Extracts:
ISO/IEC 27035-2:2016, Clause 7.3.2: "Training and awareness activities should be targeted at all users of the organization's systems and services."
ISO/IEC 27001:2022, Control 6.3: "Ensure that personnel are aware of their information security responsibilities."
Correct answer: C
-
NEW QUESTION # 26
Which element should an organization consider when identifying the scope of their information security incident management?
- A. Hardcopy information
- B. Both A and B
- C. Electronic information
Answer: B
Explanation:
Comprehensive and Detailed Explanation:
According to ISO/IEC 27035-1:2016 and ISO/IEC 27001:2022, when defining the scope of an information security incident management system, organizations must consider all forms of information, whether digital or physical, that are relevant to the business. Incidents can affect hardcopy (e.g., paper-based records) and electronic data (e.g., emails, files), so both must be included in the scope assessment.
Reference:
ISO/IEC 27001:2022, Clause 4.3: "The scope shall consider interfaces and dependencies between activities performed by the organization and those that are outsourced."
ISO/IEC 27035-1:2016, Clause 4.2.1: "Information in all formats, including printed or written, should be protected."
Correct answer: C
-
NEW QUESTION # 27
Scenario 2: NoSpace, a forward-thinking e-commerce store based in London, is renowned for its diverse products and advanced technology. To enhance its information security, NoSpace implemented an ISMS according to ISO/IEC 27001 to better protect customer data and ensure business continuity. Additionally, the company adopted ISO/IEC 27035-1 and ISO/IEC 27035-2 guidelines. Mark, the incident manager at NoSpace, strategically led the entire implementation. He played a crucial role in aligning the company's ISMS with the requirements specified in ISO/IEC 27001, using ISO/IEC 27035-1 guidelines as the foundation.
During a routine internal audit a minor anomaly was detected in the data traffic that could potentially indicate a security threat. Mark was immediately notified to assess the situation. Then, Mark and his team immediately escalated the incident to crisis management to handle the potential threat without further assessment. The decision was made to ensure a swift response.
After resolving the situation, Mark decided to update the incident management process. During the initial phase of incident management, Mark recognized the necessity of updating NoSpace's information security policies. This included revising policies related to risk management at the organizational level as well as for specific systems, services, or networks. The second phase of the updated incident management process included the assessment of the information associated with occurrences of information security events and the importance of classifying events and vulnerabilities as information security incidents. During this phase, he also introduced a 'count down' process to expedite the evaluation and classification of occurrences, determining whether they should be recognized as information security incidents.
Mark developed a new incident management policy to enhance the organization's resilience and adaptability in handling information security incidents. Starting with a strategic review session with key stakeholders, the team prioritized critical focus areas over less impactful threats, choosing not to include all potential threats in the policy document. This decision was made to keep the policy streamlined and actionable, focusing on the most significant risks identified through a risk assessment. The policy was shaped by integrating feedback from various department heads to ensure it was realistic and enforceable. Training and awareness initiatives were tailored to focus only on critical response roles, optimizing resource allocation and focusing on essential capabilities.
Based on scenario 2, NoSpace used the ISO/IEC 27035-1 guidelines to meet the ISMS requirements specified in ISO/IEC 27001. Is this acceptable?
- A. No, guidelines provided in ISO/IEC 27035-1 do not apply to ISMS requirements specified in ISO/IEC 27001
- B. No, ISO/IEC 27035-1 is designed for incident management and response and does not address the broader scope of ISMS requirements specified in ISO/IEC 27001
- C. Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001
Answer: C
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Yes, the use of ISO/IEC 27035-1 to support compliance with ISO/IEC 27001 ISMS requirements is fully acceptable and encouraged. ISO/IEC 27035-1:2016 is explicitly designed to support organizations in establishing and maintaining effective information security incident management processes. These processes are a crucial component of a well-functioning Information Security Management System (ISMS), which is governed by ISO/IEC 27001.
Clause 6.1.3 and Clause A.16.1 of ISO/IEC 27001:2022 (formerly 2013) require that organizations establish and respond to information security incidents, including detection, response, and learning from such events.
ISO/IEC 27035-1 directly supports these controls by providing specific guidance on how to identify, manage, and learn from information security incidents in a structured and repeatable way.
Moreover, ISO/IEC 27035-1 is referenced by ISO/IEC 27001 Annex A (specifically A.5.24 to A.5.27 and A.5.31 in the 2022 version), supporting requirements related to incident management, monitoring, and improvement. The ISO 27035 series acts as a detailed implementation guide for these controls, helping organizations meet both the management and operational requirements of the ISMS.
Therefore, Mark's decision to use ISO/IEC 27035-1 guidelines to align and enhance the incident management aspects of the ISMS is both appropriate and aligned with international best practices.
Reference Extracts:
* ISO/IEC 27035-1:2016, Clause 0.2: "This document also supports the information security requirements defined in ISO/IEC 27001 and provides detailed guidance on incident management activities relevant to an ISMS."
* ISO/IEC 27001:2022, Annex A (A.5.24-A.5.27): "Information security incident management should be based on established processes for detection, response, and learning."
* ISO/IEC 27001:2022, Clause 6.1.3: "Information security risks must be identified and treated as part of the ISMS."
Therefore, the correct answer is A: Yes, another objective associated with ISO/IEC 27035-1 is to provide guidance on meeting the ISMS requirements specified in ISO/IEC 27001.
-
NEW QUESTION # 28
During an ongoing cybersecurity incident investigation, the Incident Management Team (IMT) at a cybersecurity company identifies a pattern similar to recent attacks on other organizations. According to best practices, what actions should the IMT take?
- A. Delay any external communication until a thorough internal review is conducted, and the impact of the incident is fully understood to prevent any premature information leakage that could affect ongoing mitigation efforts
- B. Proactively exchange technical information and incident insights with trusted Incident Response Teams (IRTs) from similar organizations while adhering to predefined information-sharing protocols to improve collective security postures
- C. Focus on internal containment and eradication processes, consulting external experts strictly for legal and public relations management
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035 strongly encourages information sharing among trusted parties to enhance collective incident response capabilities and reduce the broader impact of cyber threats. Clause 6.5.6 in ISO/IEC 27035-1 highlights the importance of cooperation and communication with external parties, including industry-specific information-sharing forums, CERTs/CSIRTs, and trusted partners.
The practice of proactive information exchange allows organizations to:
- Detect coordinated or widespread attacks
- Accelerate response through shared indicators of compromise (IOCs)
- Benefit from collective intelligence and incident analysis
- Build sector-wide resilience
However, such exchanges must occur within well-defined protocols that preserve confidentiality, legal compliance, and operational integrity.
Options B and C reflect overly cautious or siloed approaches that may delay response or reduce the effectiveness of collaborative efforts.
Reference Extracts:
ISO/IEC 27035-1:2016, Clause 6.5.6: "Incident management should consider the importance of trusted collaboration, sharing of incident information, and threat intelligence between relevant entities."
ENISA and FIRST.org also support this collaborative approach in their best practices.
Correct answer: A
-
NEW QUESTION # 29
Based on the categorization of information security incidents, incidents such as abuse of rights, denial of actions, and misoperations are categorized as:
- A. Compromise of functions incident
- B. Breach of rule incident
- C. Compromise of information incident
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1 classifies incidents into several categories based on the nature of their impact. Incidents involving the abuse of user rights, denial of authorized activities, or improper system use are considered violations of internal policies or rules. These fall under the category of "Breach of Rule" incidents.
This category emphasizes that while data or functionality may not be directly compromised, internal governance, permissions, or acceptable use policies have been violated. These incidents are crucial to detect as they often indicate insider threats or misconfigured permissions.
Reference:
ISO/IEC 27035-1:2016, Annex A.2.3: "Breach of Rule" incidents include abuse of privileges, unauthorized activities, and actions violating organizational policies.
Correct answer: C
-
NEW QUESTION # 30
Scenario 5: Located in Istanbul, Turkey, Alura Hospital is a leading medical institution specializing in advanced eye surgery and vision care. Renowned for its modern facilities, cutting-edge technology, and highly skilled staff, Alura Hospital is committed to delivering exceptional patient care. Additionally, Alura Hospital has implemented the ISO/IEC 27035 standards to enhance its information security incident management practices.
At Alura Hospital, the information security incident management plan is a critical component of safeguarding patient data and maintaining the integrity of its medical services. This comprehensive plan includes instructions for handling vulnerabilities discovered during incident management. According to this plan, when new vulnerabilities are discovered, Mehmet is appointed as the incident handler and is authorized to patch the vulnerabilities without assessing their potential impact on the current incident, prioritizing patient data security above all else.
Recognizing the importance of a structured approach to incident management, Alura Hospital has established four teams dedicated to various aspects of incident response. The planning team focuses on implementing security processes and communicating with external organizations. The monitoring team is responsible for security patches, upgrades, and security policy implementation. The analysis team adjusts risk priorities and manages vulnerability reports, while the test and evaluation team organizes and performs incident response tests to ensure preparedness.
During an incident management training session, staff members at Alura Hospital were provided with clear roles and responsibilities. However, a technician expressed uncertainty about their role during a data integrity incident, as the manager assigned them a role unrelated to their expertise. This decision was made to ensure that all staff members possess versatile skills and are prepared to handle various scenarios effectively.
Additionally, Alura Hospital realized it needed to communicate better with stakeholders during security incidents. The hospital discovered it was not adequately informing stakeholders and that relevant information must be provided using formats, language, and media that meet their needs. This would enable them to participate fully in the incident response process and stay informed about potential risks and mitigation strategies.
Also, the hospital has experienced frequent network performance issues affecting critical hospital systems and increased sophisticated cyberattacks designed to bypass traditional security measures. So, it has deployed an external firewall. This action is intended to strengthen the hospital's network security by helping detect threats that have already breached the perimeter defenses. The firewall's implementation is a part of the hospital's broader strategy to maintain a robust and secure IT infrastructure, which is crucial for protecting sensitive patient data and ensuring the reliability of critical hospital systems. Alura Hospital remains committed to integrating state-of-the-art technology solutions to uphold the highest patient care and data security standards.
Based on scenario 5, the hospital decided to deploy an external firewall to detect threats that have already breached the perimeter defenses in response to frequent network performance issues affecting critical hospital systems. Is this recommended?
- A. Deploying an external firewall to detect threats that have already breached the perimeter defenses
- B. No, they should have deployed an intrusion detection system to identify and alert the incident response team of the breach
- C. No, they should have implemented a cloud-based antivirus solution instead of deploying an external firewall
Answer: A
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-2:2016 (Information Security Incident Management - Part 2: Guidelines to Plan and Prepare for Incident Response) provides specific guidance on implementing protective technologies that enhance detection, prevention, and response to information security incidents. Among its recommendations, deploying firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), and other layered security mechanisms is considered an essential practice for ensuring network and system resilience.
In this case, Alura Hospital experienced repeated network performance issues and targeted cyberattacks. Their decision to deploy an external firewall is appropriate and aligns with best practices outlined in ISO/IEC 27035-2, especially for a healthcare institution handling sensitive patient data. External firewalls act as a network barrier that not only prevents unauthorized access but also helps monitor and detect anomalies or threats that may have already breached traditional perimeter defenses. This is particularly important in environments where traditional safeguards are being bypassed by sophisticated attackers.
While intrusion detection systems (option C) are also important, the scenario mentions that the firewall is being used as part of a broader layered defense system and is meant to detect already-breached threats. Cloud-based antivirus solutions (option B) are not a substitute for firewalls in terms of network protection and would not adequately address the complex, targeted threats that Alura is facing.
Reference Extracts from ISO/IEC 27035-2:2016:
Clause 7.3.2: "Organizations should implement network and system security controls such as firewalls, IDS/IPS, and anti-malware tools to monitor and restrict unauthorized access."
Annex B (Example Preparatory Activities): "Firewalls are vital components in detecting and preventing unauthorized traffic, especially when placed at external network perimeters."
Thus, deploying an external firewall in this context is a recommended and justified security measure. The correct answer is: A.
-
NEW QUESTION # 31
Scenario 3: L&K Associates is a graphic design firm headquartered in Johannesburg, South Africa. It specializes in providing innovative and creative design solutions to clients across various industries. With offices in multiple parts of the country, they effectively serve clients, delivering design solutions that meet their unique needs and preferences.
In its commitment to maintaining information security, L&K Associates is implementing an information security incident management process guided by ISO/IEC 27035-1 and ISO/IEC 27035-2. Leona, the designated leader overseeing the implementation of the incident management process, customized the scope of incident management to align with the organization's unique requirements. This involved specifying the IT systems, services, and personnel involved in the incident management process while excluding potential incident sources beyond those directly related to IT systems and services.
According to scenario 3, Leona decided to initially include only the elements provided in Clause 4.3 of ISO/IEC 27035-2, Information security incident management policy content, in the incident management policy.
Is this acceptable?
- A. No, clause 4.3 of ISO/IEC 27035-2 does not cover elements for an effective incident management policy
- B. Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC 27035-2
- C. Yes, because Leona has conducted a thorough risk assessment to identify potential gaps in the incident management policy beyond the scope of clause 4.3 of ISO/IEC 27035-2
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
Clause 4.3 of ISO/IEC 27035-2:2016 outlines the minimum content requirements for an effective incident management policy. These include:
- Purpose and objectives of the policy
- Scope and applicability
- Roles and responsibilities
- Key terminology and definitions
- High-level processes for incident detection, reporting, response, and learning
- Obligations of internal stakeholders
Leona's decision to base the initial policy draft on Clause 4.3 is fully compliant and appropriate, as it ensures foundational consistency. ISO/IEC 27035-2 explicitly states that these elements form the minimum baseline for effective policy creation, and the document can be expanded later as needed.
Reference:
ISO/IEC 27035-2:2016, Clause 4.3: "The information security incident management policy should, at a minimum, contain the following elements..." Therefore, the correct answer is B: Yes, because as a minimum, the policy must cover the elements provided in clause 4.3 of ISO/IEC 27035-2.
-
NEW QUESTION # 32
Scenario 8: Moneda Vivo, headquartered in Kuala Lumpur, Malaysia, is a distinguished name in the banking sector. It is renowned for its innovative approach to digital banking and unwavering commitment to information security. Moneda Vivo stands out by offering various banking services designed to meet the needs of its clients. Central to its operations is an information security incident management process that adheres to the recommendations of ISO/IEC 27035-1 and 27035-2.
Recently, Moneda Vivo experienced a phishing attack aimed at its employees. Despite the bank's swift identification and containment of the attack, the incident led to temporary service outages and data access issues, underscoring the need for improved resilience. The response team compiled a detailed review of the attack, offering valuable insights into the techniques and entry points used and identifying areas for enhancing their preparedness.
Shortly after the attack, the bank strengthened its defense by implementing a continuous review process to ensure its incident management procedures and systems remain effective and appropriate. While monitoring the incident management process, a trend became apparent. The mean time between similar incidents decreased after a few occurrences; however, Moneda Vivo strategically ignored the trend and continued with regular operations. This decision was rooted in a deep confidence in its existing security measures and incident management protocols, which had proven effective in the quick detection and resolution of issues.
Moneda Vivo's commitment to transparency and continual improvement is exemplified by its utilization of a comprehensive dashboard. This tool provides real-time insights into the progress of its information security incident management, helping control operational activities and ensure that processes stay within the targets of productivity, quality, and efficiency. However, securing its digital banking platform proved challenging.
Following a recent upgrade, which included a user interface change to its digital banking platform and a software update, Moneda Vivo recognized the need to immediately review its incident management process for accuracy and completeness. The top management postponed the review due to financial and time constraints.
Based on scenario 8, Moneda Vivo ignored the trend and continued regular operations when the mean time between the same types of incidents decreased after a few occurrences. Is this acceptable?
- A. No, when the mean time between the same types of incidents decreases, a study should be necessary to confirm that the incidents are unrelated
- B. No, when the mean time between the same types of incidents decreases, a study should be conducted to discover why
- C. When the mean time between the same types of incidents decreases after a few occurrences, it shows that the incidents are becoming less significant
Answer: B
Explanation:
Comprehensive and Detailed Explanation From Exact Extract:
ISO/IEC 27035-1 encourages organizations to monitor metrics, such as the frequency of incident types, as part of continual improvement (Clause 7.3). A decreasing mean time between incidents (MTBI) may indicate increased threat frequency, weakened controls, or emerging vulnerabilities. Ignoring such trends can prevent timely corrective actions and weaken overall resilience.
Instead of assuming the incidents are less significant, ISO guidance suggests conducting root cause analysis and trend evaluations when patterns like this emerge.
Reference:
ISO/IEC 27035-1:2016, Clause 7.3: "Monitoring and measurement of the incident management process should include trend analysis to identify recurring issues or new patterns."
Correct answer: C
-